Cisco Catalyst SD-WAN’s Lawful Intercept feature allows an LEA to get a copy of network traffic for analysis or evidence. This is also referred as traffic mirroring. See the chapter Lawful Intercept in the Cisco Catalyst SD-WAN Policies Configuration Guide.

From Cisco vManage Release 20.9.1, Cisco Catalyst SD-WAN implements a new architecture for Lawful Intercept , as shown in the following figure.

The following are the characteristics of the new architecture:

• Traffic mirroring is outside the scope of Cisco Catalyst SD-WAN. The LEA works with the corresponding service provider to capture network traffic for mirroring.

  Note	In the illustration above, the service provider is an underlay connection and the IPsec tunnel is an overlay connection.

• Because the captured network traffic is encrypted, Cisco SD-WAN Manager and Cisco SD-WAN Controller provide key information to the LEA.

• The LEA retrieves the keys from Cisco SD-WAN Manager to decrypt Cisco Catalyst SD-WAN IPsec traffic. The LEA ensures that they retrieve key information is retrieved during each rekey period. The rekey period is provided by the service provider. For more information about retrieving keys, see Retrieve an Intercept. For information on rekey period, see Configure Data Plane Security Parameters.

A Lawful Intercept administrator is solely responsible for configuring intercepts and creating Lawful Intercept API users who perform Lawful Intercepts. A Cisco SD-WAN Manager administrator can create an account for the Lawful Intercept administrator; the administrator must be a member of the li-admin group. For more information about creating an account for a Lawful Intercept administrator, see Create Lawful Intercept Administrator.

• A Cisco SD-WAN Controller must be set to vManage mode.

• For more information about decrypting the IPsec traffic in Cisco Catalyst SD-WAN, contact Cisco Support or Cisco Sales team.

• It is not necessary to configure edge devices for Lawful Intercepts.

  Note	To configure an intercept, an administrator must select the edge devices that have to be included in the intercept. This is necessary because the key information that is retrieved from Cisco SD-WAN Manager also includes the keys for the selected devices.

• The service provider captures the data traffic for interception. Traffic is not intercepted from the edge devices.

Note	The Lawful Intercept feature can be configured only through Cisco SD-WAN Manager, and not through the CLI.

To configure Lawful Intercept in Cisco SD-WAN Manager, perform the following steps:

1. Create Lawful Intercept Administrator

2. Create Lawful Intercept API User

3. Create an Intercept

Using the Admin account in Cisco SD-WAN Manager, create an account for the Lawful Intercept administrator.

1. From the Cisco SD-WAN Manager menu, choose Administration > Lawful Intercept.

2. Click Add User to create a Lawful Intercept administrator user account.

3. In the Full Name field, enter a full name for the Lawful Intercept administrator.

4. In the User Name field, enter a user name for the Lawful Intercept administrator. The user name must be prefixed with li-.

5. In the Password field, enter a password for the Lawful Intercept administrator.

6. Confirm the password in the Confirm Password field.

7. From the User Group drop-down list, choose li-admin, and then click Add.

   The newly created Lawful Intercept administrator user account is displayed in the Users window.

The Lawful Intercept API User account is for those users of LEA who log in and retrieve key information using Cisco SD-WAN Manager's REST API. These are the users who perform a lawful intercept of the Cisco Catalyst SD-WAN IPsec traffic.

The LEA use https://{vmanage_ip}/dataservice/li/intercept/retrieve/<intercept_id> to retrieve the key information.

To create a Lawful Intercept API user, perform the following steps:

1. Log in to Cisco SD-WAN Manager as a Lawful Intercept administrator.

   Note	When a Lawful Intercept administrator logs in to Cisco SD-WAN Manager, only the Monitor and Administration options are available in the Cisco SD-WAN Manager menu.

2. From Cisco SD-WAN Manager menu, choose Administration > Lawful Intercept.

3. Click Add User to create an Lawful Intercept API user account.

4. In the Full Name field, enter a full name for the Lawful Intercept API user.

5. In the User Name field, enter a user name for the Lawful Intercept API user. The user name must be prefixed with li-.

6. In the Password field, enter a password for the Lawful Intercept API user.

7. Confirm the password in the Confirm Password field.

8. From the User Group drop-down list, choose li-api, and click Add.

   The newly created Lawful Intercept API user account is displayed in the Users window. The LEA can log in to Cisco SD-WAN Manager using the Lawful Intercept API user account to retrieve key information.

Minimum supported release: Cisco vManage Release 20.9.1 and Cisco Catalyst SD-WAN Control Components Release 20.9.1

Configure an intercept to collect intercept data. To configure an intercept, do the following:

1. From the Cisco SD-WAN Manager menu, choose Administration > Lawful Intercept.

2. Click the Intercepts tab, and then click Add Intercepts.

3. Cisco Catalyst SD-WAN Manager Release 20.12.1 and later releases:

   From the Tenant drop-down list, choose a tenant. For more information about adding a tenant, see Add a New Tenant.

4. In the Intercept ID field, enter a number. Enter a minimum of two digits and a maximum of 25 digits.

5. In the Description field, enter a description for the intercept.

6. By default the Enable toggle button is enabled. However, the intercept remains in an inactive state after it is created.

7. Click Next.

   In single-tenant mode, the Add Edge Devices pop-up window displays all the edge devices in the Cisco Catalyst SD-WAN network.

   Cisco Catalyst SD-WAN Manager Release 20.12.1 and later releases:

   In multi-tenant mode, the Add Edge Devices pop-up window displays all the single-tenant edge devices associated with the selected tenant.

8. Click one or more edge device names to add to the intercept and click Next.

   Cisco SD-WAN Manager provides the keys for the edge devices selected here.

   Note	Specify an intercept warrant for all the edge devices that are added to the intercept.

   When an edge device is added for interception, all its peer devices, which are connected in the same network, are also available for Lawful Interception.

9. The Add LI API users pages displays all the LI-API users created by the Lawful Intercept administrator.

10. Click one or more user names to add to the intercept. The users selected here can retrieve key information that is required for interception from Cisco SD-WAN Manager. For information on how keys are retrieved for an intercept, see Retrieve an Intercept.

11. Click Summary

    The summary of the intercept is displayed.

12. Click Submit. The Intercepts page displays the configured intercept.

13. Click Sync to vSmart to synchronize the configured intercept configuration in Cisco SD-WAN Manager with Cisco SD-WAN Controller.

    A progress page displays the status of the synchronization and activation. After successful synchronization, the Activate State field displays a green check mark.

    Note	The Activate State field displays a green check mark status only if Cisco SD-WAN Controller is set to vManage mode.

    If there are any additional Lawful Intercept tasks, a red dot is displayed on the task list icon in the Cisco SD-WAN Manager toolbar. Click the tasks list icon to view a list of all the active and completed Lawful Intercept tasks. You can view up to 500 latest Lawful Intercept tasks.

    If an intercept is modified, the Sync to vSmart button is enabled. Click Sync to vSmart to synchronize the intercept configuration in Cisco SD-WAN Manager with Cisco SD-WAN Controller.

    Note	The Sync to vSmart button is enabled only when a new intercept is created, or when an intercept is edited or deleted.

    To retrieve key information that is required for interception, click …, and then click Get IRI. The IRI is retrieved from Cisco SD-WAN Controller and displayed in Cisco SD-WAN Manager.

An LEA is responsible to periodically retrieve key information because this information is required to decrypt the traffic captured by the MSP.

An LEA can retrieve key information by using Cisco Catalyst SD-WAN Manager REST APIs.

1. An LEA logs in to Cisco SD-WAN Manager as a Lawful Intercept API user.

2. After a Lawful Intercept API user is authenticated, the LEA sends a request using the Cisco SD-WAN Manager REST APIs specifying the intercept ID that it wants to get the key information for.

3. When a request from the LEA is received by Cisco SD-WAN Manager, Cisco SD-WAN Manager forwards the request to the Cisco SD-WAN Controller on which intercepts are configured.

4. Cisco SD-WAN Controller then retrieves the key information for the specified intercept ID and returns the key information to Cisco SD-WAN Manager in JSON format.